Access control is the set of mechanisms that decide who — or which process — is allowed to access a resource, and in what way. It is the answer to the OS’s second security question: after authentication establishes who you are, access control determines what you can do. Every file permission check, every firewall rule, and every VM isolation boundary is an access control decision.

Access Control Models

Three main models appear across modern systems. Understanding which model a system uses tells you a lot about its security properties.

DAC — Discretionary Access Control

In DAC, the owner of a resource decides who can access it. The OS enforces whatever the owner specifies, but the owner is free to grant or revoke access at will. Example: Linux chmod. You own report.txt, so you decide whether your colleagues can read it. You can make it world-readable with chmod 644 report.txt or lock it down to yourself with chmod 600 report.txt. Risk: Malware running as you inherits your permissions and can modify your files, change their permissions, or exfiltrate data — all without violating any access control rule, because you are the owner.

MAC — Mandatory Access Control

In MAC, a system-wide policy decides permissions. Individual users cannot override it, even if they own the resource. Example: SELinux on Linux. A web server process (httpd) is labeled with a security context that allows it to read web content directories but not /home user directories — even if the web server process is running as root. The system policy overrides discretionary ownership. MAC is used in high-security environments and is the model behind iOS and Android app sandboxing. An app cannot access another app’s data regardless of what the user or app owner wants, because the OS policy forbids it.

RBAC — Role-Based Access Control

In RBAC, permissions are assigned to roles rather than individual users. Users are then assigned to roles. This is the most common model in enterprise systems and cloud platforms. Example: A database admin role grants SELECT, INSERT, UPDATE on the database. A developer gets the developer role; they inherit those database permissions without needing individual grants. When someone leaves the team, you remove them from the role. RBAC reduces administrative overhead and makes permission reviews tractable — you audit roles, not thousands of individual user-permission pairs.

Unix File Permissions (POSIX Model)

Unix and Unix-like systems (Linux, macOS) implement DAC using the POSIX permission model. Every file and directory has three permission sets: owner, group, and others. Each set has three bits: read (r), write (w), and execute (x). 
# View permissions with ls -l
$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2847 Nov 27 09:12 /etc/passwd
#  ^^^  ^^^  ^^^
#  rwx  r--  r--
#  own  grp  oth
The first character indicates the file type (- for regular file, d for directory). The next nine characters are three groups of rwx.

Reading permissions symbolically

-rwxr-xr--
│└──┬──┘└──┬──┘└──┬─┘
│  owner  group  others
│  rwx    r-x    r--
│  7      5      4
file type

Reading permissions as octal

Each rwx group maps to a three-bit binary number, which converts to octal:
BinaryOctalSymbolicMeaning
1117rwxread + write + execute
1106rw-read + write
1015r-xread + execute
1004r—read only
0000---no permissions

Common permission patterns

# Private file — owner read/write only
chmod 600 ~/.ssh/id_rsa

# Executable script — owner rwx, group and others read+execute
chmod 755 deploy.sh

# Config file — owner read/write, group read, others nothing
chmod 640 /etc/app/config.conf

# Publicly readable file — everyone can read, only owner can write
chmod 644 /var/www/html/index.html

Changing ownership

# Change file owner
chown alice report.txt

# Change owner and group
chown alice:developers report.txt

# Recursively change a directory tree
chown -R www-data:www-data /var/www/html

SUID — the privilege escalation risk

The Set User ID (SUID) bit lets a program run with the permissions of its owner rather than the user executing it. The canonical example is passwd: standard users need to update /etc/shadow (readable only by root), so /usr/bin/passwd is owned by root with SUID set, granting temporary root access during execution. 
# Spot SUID binaries — the 's' in owner execute position
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 64152 May 30 2024 /usr/bin/passwd
#    ^
#    s = SUID set

# Find all SUID binaries on the system
$ find / -perm -4000 2>/dev/null
SUID root binaries are a primary target for privilege escalation. If any SUID binary has a vulnerability (buffer overflow, command injection), an attacker can exploit it to gain a root shell. Audit SUID binaries regularly and remove the bit from anything that does not require it.

Firewalls

A firewall is a security device or software that filters network traffic based on rules, deciding which connections to allow or block. Firewalls operate at the network level and enforce access control for network resources rather than file system resources. A firewall rule typically specifies:
  • Source IP or network
  • Destination IP or network
  • Port number or range
  • Protocol (TCP, UDP, ICMP)
  • Action (allow, drop, reject)
# Linux iptables — block all inbound except SSH (port 22) and HTTPS (port 443)
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# List current rules
iptables -L -v -n
Firewalls filter by port and IP, but they cannot inspect the content of encrypted traffic or detect malware embedded in allowed traffic. If you allow port 443 (HTTPS) and a user downloads malware over that connection, the firewall cannot stop it. Firewalls are one layer in a defense-in-depth strategy, not a complete solution.

Virtualization Hardening

Access control in virtualized environments extends beyond individual OS permissions to the management of the virtualization layer itself.

Network Segmentation

Network segmentation splits your infrastructure into separate network segments or VLANs so different types of traffic stay isolated. In a virtualized environment this means:
  • The hypervisor management interface sits on a separate, restricted management network — not reachable from guest VMs or the public internet
  • Guest VM networks are isolated from each other unless explicit connectivity is configured
  • Storage traffic runs on its own segment, separate from application traffic
If a guest VM is compromised, network segmentation limits how far the attacker can move. They cannot directly reach the hypervisor management console because it is on a network the guest VM has no route to.

Immutable Images

An image (or template) is a preconfigured snapshot used as a base to spin up new VMs or containers consistently. An immutable image takes this further: once deployed, the running instance is never modified. If a change is needed, you build a new image and redeploy. This approach has strong security properties:
  • Drift is impossible — every running instance matches a known, audited image
  • Compromise is contained — an attacker who modifies a running container’s filesystem will have those changes wiped on the next deployment
  • Rollback is trivial — redeploy the previous image

Orchestration Security

Orchestration tools like Kubernetes automate the deployment, scaling, and networking of containerized workloads. Misconfigurations in orchestration systems are a significant attack surface:
  • Over-privileged service accounts — containers that run with cluster-admin permissions can escape their intended boundaries
  • Exposed management APIs — the Kubernetes API server must not be publicly accessible without strong authentication
  • Default deny network policies — without explicit network policies, all pods in a cluster can communicate with each other; apply default-deny and explicitly allow only required traffic
Apply the principle of least privilege at every layer: containers should run as non-root users, with read-only filesystems where possible, and with only the Linux capabilities they actually need.